Post AtX8H2rw8g7LWOfK2y by ricci@discuss.systems
Post #AtWwEjWxa8hn7XpBlQ by ricci@discuss.systems
2025-04-27T22:31:36Z
1 likes, 3 repeats
I was asked a really interesting question about whether the US government (or others, but we all know why people are worried about the US right now) could seize domain names, and what would happen if they did.

This is:
* An excellent question
* Quite important to answer
* Probably impossible to answer in practice

:thread: 1/?

Let's dig in, based on what I know (which to be clear is mostly on the technical side, I don't know a lot on the legal side; I invite additional information added or corrected by people with more knowledge):

The question here is about the vulnerability of the DNS to government-level attacks. I am going to limit the scope of this post to the DNS; there are plenty of potential nation-state attacks on the Internet, I can't talk about all of them nor am I qualified to.

The good news is that this is, in fact, the kind of attack that people have thought about quite a bit when designing and deploying these systems. That does not, however, mean that they are invulnerable, or that there are not hidden dependencies or vulnerabilities - and honestly the reason why this question is impossible to answer is that there are probably enough hidden dependencies that we just don't know what will fail until (if) somebody tries it.

If someone tries to seize domain names, either one at a time or in bulk, the direct point of attack would be against the domain registrars; these are the entities who you pay to register the name, and who maintain the top-level information about them, such as whose name they are registered in, the contact information for those parties, and which DNS servers are authoritative for providing further information about those domains. Note that those DNS servers *may* be provided by the registrar, but they don't have to be. More about domain name registrars here: https://en.wikipedia.org/wiki/Domain_name_registrar

So what's the attack? The government tries to force the registrar to either de-register the names, or re-register them to another party. They would do so by applying legal pressure on the registrar.

This is one place where there is probably a very thorny legal question: who *owns* the domain name, really? Does the registrar own it? Does the registrant own it? There may be law on this, but I'm not aware of it; I do know that there have been cases regarding trademark law to reassign domain names, some of which have been successful. I'd love (for some definition of "love") to learn more here if folks have good sources to contribute.

The good news on this front is that there are lots of registrars. Tons. One would assume that a government would have the most leverage, by far, against registrars in their own jurisdiction. Registrars are, however, spread out all across the world, and most domains are portable across registrars - you can move your domain to a different registrar just like you can move your mobile phone number to a different carrier in many (most?) countries. Most TLDs (the last bit in the domain name, such as .com, .org, .social, etc.) are handled by a large number of registrars. So, for most domain names, there is a fairly straightforward step to take for protection: transfer the domain to a registrar outside the jurisdiction you are concerned about. There is, for example, no registrar one can go to in order to seize all .com domains for a given country. (Some TLDs have different rules, but I'm not going to get into that here.)

Basically, attacking this at a large scale is not impossible, but it would require a lot of resources and can only move so fast, giving domain name owners a chance to try to take proactive steps. It could certainly be disruptive, and targeted attacks against certain domains are possible, but there is enough resiliency that it's very, very hard to snatch the whole thing in one go.

So, let's go deeper: who gives the registrars the ability to register individual domain names?

In fact, let's go straight to the root: IANA: https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority . This is the standards organization that administers the list of TLDs and the information in the root DNS servers. It is international; that probably makes it hard for individual governments to assert control over it, though it's hard to say, maybe it means any member is a point of vulnerability instead. IANA more or less delegates responsibility for administering specific TLDs to other organizations; for example, .com is administered right now by Verisign: https://en.wikipedia.org/wiki/.com . Those organizations are themselves a potential point of vulnerability for seizing individual domain names; the system overall does have enough resiliency built in that if one domain name is seized, this does not prevent the person or organization that registered it from getting a new domain name in a different TLD: this is commonly done by sites that are not legal in certain jurisdictions, for example.
Post #AtWwR1aAIA2Ia9BVYG by ricci@discuss.systems
2025-04-27T22:33:48Z
3 likes, 2 repeats
🧵 2/2

IANA is administered by ICANN: https://en.wikipedia.org/wiki/ICANN . Again, ICANN is an international organization, but its headquarters are in the United States. I would compare this to the United Nations, which also has its headquarters on US soil. Yes, the US could put the organization's property and some of its personnel under threat, and it could be quite disruptive, but the organization is global enough that it almost certainly could continue its operations and maintain its desired policies under such an attack.

Let's also talk about the physical infrastructure at the root of the DNS. When you look up example.com, your DNS resolver (conceptually) goes to the root to ask where the DNS servers for .com are, then asks those servers where the DNS servers for example.com are. These root servers are extremely important, if utterly invisible to most people. There are currently thirteen root DNS servers: https://en.wikipedia.org/wiki/Root_name_server . However, each 'root server' is actually a bunch of root servers, many of them spread across the globe in various countries. The picture attached to this post shows where the physical servers are. Most of the operators of the root servers are American companies, but there are also companies headquartered in the Netherlands, Sweden, and Japan. We are probably pretty safe on this front.

Let's wrap up by moving a level up, to the DNS server closest to your own computer.

Unless you've done any special configuration (and you will know if you have...) you are probably using either one of two DNS servers: most devices and software on your network are probably using your ISP's DNS server, and your browser *might* be using a third-party DNS server via DoH. Could a government compel your ISP to hijack DNS requests? Legally, I don't know, but on a technical level, mostly yes. Doing so would involve adding entries to their DNS servers that differ from the "real" ones, and returning those to you instead. This would essentially hijack the domain for all customers of that ISP. An attacker would have to do this ISP by ISP; this is easier in some places than others - in some countries the ISPs are already functionally arms of the government, in others they are independent but have consolidated down to just a few options, and others have more diversity.

Ah, but, you say, DNSSEC! And yes, DNSSEC! For most of its history, the DNS has not provided a way to verify that the answer you get is legitimate instead of, say, replaced by your ISP as described above. Some time back, a set of extensions to DNS was put together to prevent such attacks: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions . There is more detail here than I could possibly go into, but this mechanism is (1) deployed on some TLDs but not all, (2) deployed only spottily on domains within the TLDs that support it, and (3) not universally checked by all resolvers. So: yes, DNSSEC helps - it generally protects the domains that have deployed it from being hijacked, even under threat to the ISP, but its effects are uneven.

ISPs can relatively easily block you from using DNS servers other than their own - AFAIK, most don't, currently, but they can, because DNS requires UDP port 53, so it's easy to recognize and block.

So, let's talk about DoH - this is DNS over HTTPS, and it gives you an encrypted way to make DNS requests and uses the same TCP port as HTTPS, making it harder for an ISP to block. Like DNSSEC, the more DoH there is in use, the less effective ISP-level domain hijacking is. Lately, browser vendors have started experimenting with making DoH the default for at least some users in at least some places; both Firefox and Chrome turned it on by default for some users in 2020: https://en.wikipedia.org/wiki/DNS_over_HTTPS . But, this is not 100% a win for freedom from government attacks: Chrome uses Google's DNS servers by default, and Firefox uses CloudFlare's - this can be changed, but it's a re-centralization, and therefore an attractive attack target for governments that have leverage over these two organizations.

So to conclude: the DNS is a very messy system with lots of points that could be attacked by a government, but it is also comprised of enough systems, organizations, and protocols that attempts to seize domain names are likely to be hard to do at scale, and while the opportunity for mass disruption does exist, it is unlikely to meet with much long-term large-scale success.
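The two posts above describe a chain of parties (root, TLD registry, registrar, the registrant's name servers, the ISP's resolver) each of which can alter what a lookup returns. The following is an added example, not code from the thread or from any real DNS software: a toy in-memory model of that chain, with a tiny "DNSSEC" in which the parent zone publishes a hash (standing in for a DS record) over the child's key and zones sign their answers with that key. All zone names, keys, server names, registrar names ("registrar-US", "registrar-CH") and addresses are constructed. It lets you run the four situations the thread discusses: a normal lookup, a registrar compelled to repoint the name (before and after transferring the domain to a registrar elsewhere), the registry itself rewriting the delegation, and an ISP resolver substituting its own answer, with and without DNSSEC validation. One caveat the model makes visible: a validating resolver rejects the ISP-level forgery, but it accepts a re-delegation done at the registry or by the registrar of record, because those parties are the ones who publish the DS record that the chain of trust hangs on.

```python
"""Toy model of the dependency chain behind a domain name, and where it can be
seized or hijacked. Constructed example, not the DNS wire protocol: zones are
dicts; keys, server names and addresses are made up; "DS" and "signature" are
SHA-256 hashes standing in for DNSSEC's DS and RRSIG records."""
import hashlib
from dataclasses import dataclass, field


def ds_digest(owner: str, key: bytes) -> str:
    """Toy DS record: the parent zone publishes a hash binding a child's key to its name."""
    return hashlib.sha256(owner.lower().encode() + key).hexdigest()


@dataclass
class Zone:
    name: str         # ".", "com.", "example.com."
    operator: str     # who can edit this zone's data
    key: bytes        # toy zone signing key (constructed)
    records: dict = field(default_factory=dict)      # owner -> A record
    delegations: dict = field(default_factory=dict)  # child -> {"ns": server, "ds": digest}

    def sign(self, owner: str, value: str) -> str:
        """Toy RRSIG: only the holder of the zone key can produce a valid one."""
        return hashlib.sha256(self.key + owner.encode() + value.encode()).hexdigest()


class Registry:
    """TLD registry (Verisign for .com): edits the TLD zone. In normal operation it
    accepts delegation changes only from the registrar of record for a name."""
    def __init__(self, zone: Zone):
        self.zone, self.registrar_of_record = zone, {}

    def set_delegation(self, child: str, ns: str, child_zone: Zone) -> None:
        self.zone.delegations[child] = {"ns": ns, "ds": ds_digest(child, child_zone.key)}

    def request_change(self, child: str, registrar: str, ns: str, child_zone: Zone) -> bool:
        if registrar != self.registrar_of_record.get(child):
            return False          # not the registrar of record: refused
        self.set_delegation(child, ns, child_zone)
        return True


class Resolver:
    """Iterative resolver: root -> TLD -> authoritative, optionally validating the
    DS chain from a configured trust anchor (the analogue of the real root KSK)."""
    def __init__(self, servers: dict, trust_anchor: bytes, validate: bool, overrides=None):
        self.servers, self.trust_anchor, self.validate = servers, trust_anchor, validate
        self.overrides = overrides or {}   # answers the resolver operator substitutes

    def resolve(self, qname: str) -> dict:
        zone, expected_ds, path = self.servers["root-servers"], ds_digest(".", self.trust_anchor), []
        while True:
            path.append(zone.operator)
            if self.validate and ds_digest(zone.name, zone.key) != expected_ds:
                return {"status": "BOGUS", "answer": None, "path": path}
            child = next((c for c in zone.delegations if qname == c or qname.endswith("." + c)), None)
            if child is None:
                break
            expected_ds = zone.delegations[child]["ds"]
            zone = self.servers[zone.delegations[child]["ns"]]
        if qname in self.overrides:
            value, sig = self.overrides[qname]      # ISP-style hijack: no zone key available
        else:
            value = zone.records.get(qname)
            sig = zone.sign(qname, value) if value is not None else None
        if value is None:
            return {"status": "NXDOMAIN", "answer": None, "path": path}
        if not self.validate:
            return {"status": "INSECURE", "answer": value, "path": path}
        ok = sig == zone.sign(qname, value)
        return {"status": "SECURE" if ok else "BOGUS", "answer": value if ok else None, "path": path}


def build_world():
    """Constructed root, .com, the registrant's zone, and a would-be seizure server."""
    root = Zone(".", "IANA/ICANN root zone", b"root-key")
    com = Zone("com.", "Verisign (.com registry)", b"com-key")
    example = Zone("example.com.", "registrant's DNS host", b"example-key", {"example.com.": "203.0.113.10"})
    seized = Zone("example.com.", "seizure server", b"gov-key", {"example.com.": "198.51.100.1"})
    root.delegations["com."] = {"ns": "gtld-servers", "ds": ds_digest("com.", com.key)}
    registry = Registry(com)
    registry.registrar_of_record["example.com."] = "registrar-US"   # hypothetical registrar
    registry.set_delegation("example.com.", "ns.example-host", example)
    servers = {"root-servers": root, "gtld-servers": com, "ns.example-host": example, "ns.seized.example": seized}
    return registry, servers, seized


def resolve_normally() -> dict:
    _, servers, _ = build_world()
    return Resolver(servers, b"root-key", validate=True).resolve("example.com.")


def registrar_pressured(transferred_abroad: bool) -> dict:
    """The US registrar is compelled to repoint the name; fails if the domain was moved first."""
    registry, servers, seized = build_world()
    if transferred_abroad:
        registry.registrar_of_record["example.com."] = "registrar-CH"   # hypothetical registrar
    registry.request_change("example.com.", "registrar-US", "ns.seized.example", seized)
    return Resolver(servers, b"root-key", validate=True).resolve("example.com.")


def registry_seizure() -> dict:
    """The registry itself rewrites NS and DS: no registrar cooperation needed, DNSSEC still validates."""
    registry, servers, seized = build_world()
    registry.set_delegation("example.com.", "ns.seized.example", seized)
    return Resolver(servers, b"root-key", validate=True).resolve("example.com.")


def isp_hijack(validate: bool) -> dict:
    """The ISP's recursive resolver substitutes its own answer with a forged signature."""
    _, servers, _ = build_world()
    forged = {"example.com.": ("198.51.100.2", "not-signed-by-the-zone-key")}
    return Resolver(servers, b"root-key", validate, overrides=forged).resolve("example.com.")
```

Running `isp_hijack(True)` returns `BOGUS` with no answer while `isp_hijack(False)` happily returns the ISP's address, which is the thread's point about DNSSEC being only as good as the resolver that checks it. `registry_seizure()` and `registrar_pressured(False)` both return the seizure server's address with status `SECURE`: the model does not claim DNSSEC protects against the parent zone, only against parties below it in the chain. Transferring the domain (`registrar_pressured(True)`) is what defeats the registrar-level case, matching the advice in the first post.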
Post #AtWx1IHTgUP8nSjqAC by sun@shitposter.world
2025-04-27T22:40:22.822881Z
1 likes, 1 repeats
@ricci don't they already do this a lot
Post #AtWxcsw8MVN3CHgD1E by bajax@baj.ax
2025-04-27T22:46:07.882919Z
0 likes, 0 repeats
@sun @ricci after a while it becomes obvious they're just hoping that the usgov takes one of their domains for political reasons. dunno whether it's to bitch and whine about or so they get a chance to cosplay as freedom fighters
Post #AtWy3eUYAxeKDRXcUS by ricci@discuss.systems
2025-04-27T22:52:01Z
1 likes, 0 repeats
@sun some, on an individual case by case basis. I may not have made it clear enough that the attack scenario I'm considering here is a more bulk seizure at large scale
Post #AtWyt6wW9fSlDx9zxw by sun@shitposter.world
2025-04-27T23:01:19.986383Z
0 likes, 1 repeats
@ricci thanks for the clarification, I understand better now.
Post #AtWzoZ4UFKJcyAHeuu by ricci@discuss.systems
2025-04-27T23:11:37Z
0 likes, 0 repeats
@4censord Yeah I thought about including that example, which is excellent on many levels, but man this thing barely fit into two 5k character posts as it is :)
Post #AtWzyGhFPzQMsQ2bGy by ricci@discuss.systems
2025-04-27T23:13:22Z
0 likes, 0 repeats
@crystalmoon Interesting on the Italy and Spain thing, this must be a local law - I wonder if it's legal to use DoH there to bypass these or not?

For as little as I know about the US law around this stuff, I know less about elsewhere in the world...
Post #AtX25lBEg9BhM6lenQ by crystalmoon@chaos.social
2025-04-27T23:36:52Z
0 likes, 0 repeats
@ricci I assume so, but they *could* use a Sandvine appliance or something to still track IP contacts. At least where I live that is the method of choice
Post #AtX2ukNxOSZfew1wyu by davidaugust@mastodon.online
2025-04-27T23:20:45Z
0 likes, 1 repeats
@ricci Sounds like, to summarize, there are vulnerabilities a government could try to exploit, but at scale difficult to sustain disruptions as the systems are complex & not entirely centralized. If domain seizures happen, "…process used by Operation In Our Sites was codified in 18 U.S.C. § 981(b)(2), which provides a legal framework for property seizures by the government," perhaps having mirrors ready to deploy could be a counter measure? https://en.wikipedia.org/wiki/Operation_In_Our_Sites
Post #AtX6ZUUlg32Y71KtKy by jtk@infosec.exchange
2025-04-28T00:27:04Z
0 likes, 0 repeats
@ricci Many have written and said much about the threats to the DNS by the U.S. government. A lot of the paranoia historically came from kooks, grifters, and cranks, some of whom have tried to push alternative roots. A more recent version of that may involve a blockchain. Some of that fear is not entirely unreasonable to the uninitiated, but was and remains a tech phobia.

In 2025, the threat may seem greater than ever before, but I'd argue it remains grossly overblown. There are a variety of reasons for this. Some are the practical limits of power the executive branch has. Mostly, there are numerous technical, economic, and social checks that protect the system. It would take a long, detailed essay, maybe one we should write, to enumerate a number of convincing arguments to lay people on all the reasons why they should worry less about this.
Post #AtX8H2rw8g7LWOfK2y by ricci@discuss.systems
2025-04-28T00:46:13Z
0 likes, 0 repeats
@davidaugust Yeah, I would say that the system is truly centralized enough to survive most large attacks. I do think a government can do quite a bit of damage, especially in its own borders, but there are plenty of opportunities for the system to heal itself
Post #AtX8o2GRPNp1CarGeu by ricci@discuss.systems
2025-04-28T00:52:27Z
0 likes, 0 repeats
@jtk I would guess that at least once in the next 4 years there will be a serious effort to seize one or more domains from a political competitor - for example, the "investigation" of ActBlue turns into a declaration (without trial) that it is a money launderer and a threat to national security, and seizure of its domain name will be listed as part of the "consequences".

I expect such an attempt to fail.

I think we will *probably* not see a large scale attack by the US on the DNS, because I expect that it would both fail in the medium term and be extremely disruptive in the short term. However, we have seen this administration undertake several things that fall under this description, so I think it's worth considering how possible it is.
Post #AtXKtN0Avsw4PtYmvo by ricci@discuss.systems
2025-04-28T03:07:52Z
0 likes, 0 repeats
@jtk I think we'll find out. They are, at least so far, very into (a) finding everything that can possibly be used as a weapon, even if it has not been used that way before, and (b) loudly announcing it even if doing so makes it less likely to be successful. I think current leadership at the FBI and DOJ simply don't yet realize that seizing websites is something the FBI actually does, and that once they realize it, we'll know. But I still think a large scale attack on the DNS is far less likely.
Post #AtXP0PvIrvqXJxtgES by rskurat@mastodon.online
2025-04-28T03:53:55Z
0 likes, 0 repeats
@ricci ICANN'T is all about the Benjamins so the short answer is Yes